diff options
author | Vyacheslav Pedash <vyacheslav.pedash@globallogic.com> | 2023-02-14 13:51:22 +0200 |
---|---|---|
committer | Vyacheslav Pedash <vyacheslav.pedash@globallogic.com> | 2023-02-14 13:51:22 +0200 |
commit | c8ea2db0a9f92c38630f6ae07c1afa342246bf66 (patch) | |
tree | 11c98c396c7e164d54f3b41cf47247895db59581 /recipes-support/ca-certificates | |
parent | cfcae699e62a9272d6dc1529367a0fea2485ba5d (diff) | |
download | meta-mlinux-c8ea2db0a9f92c38630f6ae07c1afa342246bf66.tar.gz meta-mlinux-c8ea2db0a9f92c38630f6ae07c1afa342246bf66.tar.bz2 meta-mlinux-c8ea2db0a9f92c38630f6ae07c1afa342246bf66.zip |
MTX-4791 Update ca-certificates to the latest Debian version. Blacklist expired CA certificates.
Diffstat (limited to 'recipes-support/ca-certificates')
3 files changed, 99 insertions, 4 deletions
diff --git a/recipes-support/ca-certificates/ca-certificates/0004-Update-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch b/recipes-support/ca-certificates/ca-certificates/0004-Update-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch new file mode 100644 index 0000000..8af5a33 --- /dev/null +++ b/recipes-support/ca-certificates/ca-certificates/0004-Update-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch @@ -0,0 +1,80 @@ +From cb43ec15b700b25f3c4fe44043a1a021aaf5b768 Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex@linutronix.de> +Date: Mon, 18 Oct 2021 12:05:49 +0200 +Subject: [PATCH] Revert "mozilla/certdata2pem.py: print a warning for expired + certificates." + +This avoids a dependency on python3-cryptography, and only checks +for expired certs (which is upstream concern, but not ours). + +Upstream-Status: Inappropriate [oe-core specific] +Signed-off-by: Alexander Kanavin <alex@linutronix.de> +--- + debian/changelog | 1 - + debian/control | 2 +- + mozilla/certdata2pem.py | 11 ----------- + 3 files changed, 1 insertion(+), 13 deletions(-) + +diff --git a/debian/changelog b/debian/changelog +index 531e4d0..4006509 100644 +--- a/debian/changelog ++++ b/debian/changelog +@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low + - "Trustis FPS Root CA" + - "Staat der Nederlanden Root CA - G3" + * Blacklist expired root certificate "DST Root CA X3" (closes: #995432) +- * mozilla/certdata2pem.py: print a warning for expired certificates. + + -- Julien Cristau <jcristau@debian.org> Thu, 07 Oct 2021 17:12:47 +0200 + +diff --git a/debian/control b/debian/control +index 4434b7a..5c6ba24 100644 +--- a/debian/control ++++ b/debian/control +@@ -3,7 +3,7 @@ Section: misc + Priority: optional + Maintainer: Julien Cristau <jcristau@debian.org> + Build-Depends: debhelper-compat (= 13), po-debconf +-Build-Depends-Indep: python3, openssl, python3-cryptography ++Build-Depends-Indep: python3, openssl + Standards-Version: 4.5.0.2 + Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git + Vcs-Browser: https://salsa.debian.org/debian/ca-certificates +diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py +index ede23d4..7d796f1 100644 +--- a/mozilla/certdata2pem.py ++++ b/mozilla/certdata2pem.py +@@ -21,16 +21,12 @@ + # USA. + + import base64 +-import datetime + import os.path + import re + import sys + import textwrap + import io + +-from cryptography import x509 +- +- + objects = [] + + # Dirty file parser. +@@ -121,13 +117,6 @@ for obj in objects: + if obj['CKA_CLASS'] == 'CKO_CERTIFICATE': + if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]: + continue +- +- cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE'])) +- if cert.not_valid_after < datetime.datetime.utcnow(): +- print('!'*74) +- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL']) +- print('!'*74) +- + bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\ + .replace(' ', '_')\ + .replace('(', '=')\ +-- +2.20.1 + diff --git a/recipes-support/ca-certificates/ca-certificates/0005-blacklist-expired-CA.patch b/recipes-support/ca-certificates/ca-certificates/0005-blacklist-expired-CA.patch new file mode 100644 index 0000000..d7c5ee8 --- /dev/null +++ b/recipes-support/ca-certificates/ca-certificates/0005-blacklist-expired-CA.patch @@ -0,0 +1,9 @@ +diff -uprN a/mozilla/blacklist.txt b/mozilla/blacklist.txt +--- a/mozilla/blacklist.txt 2023-02-13 18:32:14.842445382 +0200 ++++ b/mozilla/blacklist.txt 2023-02-14 13:17:54.090381357 +0200 +@@ -12,3 +12,5 @@ + "DST Root CA X3" + "Cybertrust Global Root" + "GlobalSign Root CA - R2" ++"Staat der Nederlanden EV Root CA" ++"E-Tugra Certification Authority" diff --git a/recipes-support/ca-certificates/ca-certificates_%.bbappend b/recipes-support/ca-certificates/ca-certificates_%.bbappend index 107c58d..7a9af09 100644 --- a/recipes-support/ca-certificates/ca-certificates_%.bbappend +++ b/recipes-support/ca-certificates/ca-certificates_%.bbappend @@ -1,5 +1,11 @@ -PR = "r1" +PR = "r2" -# Toybox patch breaks busybox, which is what we use for mktemp -# This fixes the update-ca-certificates script. -SRC_URI_remove = "file://update-ca-certificates-support-Toybox.patch" +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +SRCREV = "88d98d1082e5d2d1f85e5cb42811da813db981c9" + +SRC_URI_remove = "file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch" + +SRC_URI_append = " \ + file://0004-Update-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \ + file://0005-blacklist-expired-CA.patch " |